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~ The MAILING DATE of this communication appears on the cover sheet with the correspondence address- 

All claims being allowable, PROSECUTION ON THE MERITS IS (OR REMAINS) CLOSED in this application. If not included 
herewith (or previously mailed), a Notice of Allowance (PTOL-85) or other appropriate communication will be mailed in due course. THIS 
NOTICE OF ALLOWABILITY IS NOT A GRANT OF PATENT RIGHTS. This application is subject to withdrawal from issue at the initiative 
of the Office or upon petition by the applicant. See 37 CFR 1.313 and MPEP 1308. 

1 . |EI This communication is responsive to Amendment filed on 13 January 2010. 

2. The allowed claim(s) is/are 1, 3-5, 7-9,11-13,15-16,18-20, and 24-28 . 

3. □ Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d) or (f). 

a) □ All b)DSome* c) □ None of the: 

1. □ Certified copies of the priority documents have been received. 

2. □ Certified copies of the priority documents have been received in Application No. . 

3. □ Copies of the certified copies of the priority documents have been received in this national stage application from the 

International Bureau (PCT Rule 17.2(a)). 
* Certified copies not received: . 

Applicant has THREE MONTHS FROM THE "MAILING DATE" of this communication to file a reply complying with the requirements 
noted below. Failure to timely comply will result in ABANDONMENT of this application. 
THIS THREE-MONTH PERIOD IS NOT EXTENDABLE. 

4. □ A SUBSTITUTE OATH OR DECLARATION must be submitted. Note the attached EXAMINER'S AMENDMENT or NOTICE OF 

INFORMAL PATENT APPLICATION (PTO-152) which gives reason(s) why the oath or declaration is deficient. 

5. □ CORRECTED DRAWINGS ( as "replacement sheets") must be submitted. 

(a) □ including changes required by the Notice of Draftsperson's Patent Drawing Review ( PTO-948) attached 

1 ) □ hereto or 2) □ to Paper No./Mail Date . 

(b) □ including changes required by the attached Examiner's Amendment / Comment or in the Office action of 

Paper No./Mail Date . 

Identifying indicia such as the application number (see 37 CFR 1.84(c)) should be written on the drawings in the front (not the back) of 
each sheet. Replacement sheet(s) should be labeled as such in the header according to 37 CFR 1.121(d). 

6. □ DEPOSIT OF and/or INFORMATION about the deposit of BIOLOGICAL MATERIAL must be submitted. Note the 

attached Examiner's comment regarding REQUIREMENT FOR THE DEPOSIT OF BIOLOGICAL MATERIAL. 



Attachment(s) 

1 . □ Notice of References Cited (PTO-892) 

2. □ Notice of Draftperson's Patent Drawing Review (PTO-948) 

3. □ Information Disclosure Statements (PTO/SB/08), 

Paper No./Mail Date 

4. □ Examiner's Comment Regarding Requirement for Deposit 

of Biological Material 



5. □ Notice of Informal Patent Application 

6. □ Interview Summary (PTO-413), 

Paper No./Mail Date . 

7. ^ Examiner's Amendment/Comment 

8. □ Examiner's Statement of Reasons for Allowance 

9. □ Other . 



/Tony Mahmoudi/ 

Supervisory Patent Examiner, Art Unit 2169 
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EXAMINER'S AMENDMENT 

1 . An examiner's amendment to the record appears below. Should the changes and/or 
additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 
1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the 
payment of the issue fee. 

Authorization for this examiner's amendment was given in a telephone interview with 
Brian Hoffman on 8 February 2010. 

2. An examiner's amendment to the record appears below. Should the changes and/or 
additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 
1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the 
payment of the issue fee. 

3. The application has been amended as follows: 

1 . (Currently Amended) A computer implemented method for gleaning file 
attributes independently of file format, the method comprising the steps of: 

a non-application-specific file attribute manager receiving a plurality of files in a 
plurality of formats , the plurality of files including a plurality of copies of a 
selected file from the plurality of files ; 
the file attribute manager scanning the plurality of received files in the plurality of 
formats; 

the file attribute manager gleaning file attributes from each of the plurality of scanned 
files based on a communications protocol used to receive each of the plurality 
of files, the file attribute manager gleaning different file attributes for different 
communications protocols; 

the file attribute manager storing the file attributes gleaned from each of the plurality 
of scanned files as a plurality of records in a database; 
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the file attribute manager indexing specific file attributes gleaned from specific files 
according to contents of the specific files, the specific file attributes being 
stored as ones of the plurality of records in the database; 

the file attribute manager storing a record for each of the plurality of copies of the 
selected file, each separate record indexed according to the contents of the 
selected file from the plurality of files, such that each separate record can be 
accessed by a single index; 

examining one of the plurality of files; 

retrieving from the plurality of records in the database a first record associated with 

the examined one of the plurality of files; 
retrieving from the plurality of records in the database a second record associated 

with a malicious file; 

analyzing the gleaned file attributes gleaned from the examined one of the plurality of 

files, the gleaned file attributes having been retrieved from the first record; 
analyzing one or more attributes of the malicious file, the one or more attributes of 

the malicious file having been gleaned from the second record; and 
determining whether a status of the examined one of the plurality of files is malicious, 

responsive to analyzing the gleaned file attributes and the one or more 

attributes of the malicious file. 

2. (Cancelled) 

3. (Previously Presented) The method of claim 1 wherein: 

specific types of file attributes are gleaned from a specific file as a function of a 
format of the specific file. 

4. (Previously Presented) The method of claim 1 wherein the file attribute manager 
indexing specific file attributes indexes according to a secure hash of the contents of each 
specific file. 

5. (Previously Presented) The method of claim 1 wherein the file attribute manager 
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indexing specific file attributes indexes according to a cyclical redundancy check of the contents 
of each specific file. 

6. (Cancelled) 

7. (Original) The method of claim 1 further comprising: 

deleting records from the database after the records have been stored for a specific 
period of time. 

8. (Previously Presented) The method of claim 1 wherein the non-application- 
specific file attribute manager is incorporated into one selected from the group consisting of: 

a firewall; 

an intrusion detection system; 

an intrusion detection system application proxy; 

a router; 

a switch; 

a standalone proxy; 
a server; 
a gateway; 

an anti-virus detection system; and 
a client. 

9. (Currently Amended) A non-transitory computer-readable storage medium 
containing a computer program product for gleaning file attributes independently of file format, 
the computer program product comprising program code for: 

receiving a plurality of files in a plurality of formats , the plurality of files including a 
plurality of copies of a selected file from the plurality of files ; 

scanning the plurality of received files in the plurality of formats; 

gleaning file attributes from each of the plurality of scanned files based on a 

communications protocol used to receive each of the plurality of files, the file 
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attribute manager gleaning different file attributes for different 

communications protocols; 
storing the file attributes gleaned from each of the plurality of scanned files as a 

plurality of records in a database; 
indexing specific file attributes gleaned from specific files according to contents of 

the specific files, the specific file attributes being stored as ones of the 

plurality of records in the database; 
storing a record for each of the plurality of copies of the selected file, each separate 

record indexed according to the contents of the selected file from the plurality 

of files, such that each separate record can be accessed by a single index; 
examining one of the plurality of files; 

retrieving from the plurality of records in the database a first record associated with 

the one of the examined plurality of files; 
retrieving from the plurality of records in the database a second record associated 

with a malicious file; 

analyzing the gleaned file attributes gleaned from the examined one of the plurality of 

files, the gleaned file attributes having been retrieved from the first record; 
analyzing one or more attributes of the malicious file, the one or more attributes of 

the malicious file having been gleaned from the second record; and 
determining whether a status of the examined one of the plurality of files is malicious, 

responsive to analyzing the gleaned file attributes and the one or more 

attributes of the malicious file. 



10. (Cancelled) 

1 1 . (Previously Presented) The computer program product of claim 9 further 
comprising: 

program code for gleaning specific types of file attributes from a specific file as a 
function of a format of the specific file. 
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12. (Previously Presented) The computer program product of claim 9 wherein the 
program code for indexing file attributes indexes according to a secure hash of the contents of 
each specific file. 

13. (Previously Presented) The computer program product of claim 9 wherein the 
program code for indexing file attributes indexes according to a cyclical redundancy check of the 
contents of each specific file. 

14. (Cancelled) 

15. (Original) The computer program product of claim 9 further comprising: 
program code for deleting records from the database after the records have been 

stored for a specific period of time. 

16. (Currently Amended) A computer system for gleaning file attributes 
independently of file format, the computer system having a non-transitory computer readable 
storage medium storing computer-executable instructions, the computer-executable instructions 
comprising: 

a reception module, configured to receive a plurality of files in a plurality of formats^ 
the plurality of files including a plurality of copies of a selected file from the 
plurality of files : 

a scanning module, configured to scan the plurality of received files in the plurality of 
formats, the scanning module communicatively coupled to the reception 
module; 

a gleaning module, configured to glean file attributes from each of the plurality of 

scanned files based on a communications protocol used to receive each of the 
plurality of files, the file attribute manager gleaning different file attributes for 
different communications protocols, the gleaning module communicatively 
coupled to the scanning module; 
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a storage module, configured to store file attributes gleaned from each of the plurality 
of scanned files as a plurality of records in a database, the storage module 
communicatively coupled to the gleaning module; 

an indexing module, configured to index specific file attributes gleaned from specific 
files according to contents of the specific files, the specific file attributes 
being stored as ones of the plurality of records in the database, the indexing 
module communicatively coupled to the storage module; 

the storage module, further configured to store a record for each of the plurality of 
copies of the selected file, each separate record indexed according to the 
contents of the selected file from the plurality of files, such that each separate 
record can be accessed by a single index; 

an examining module, configured to examine one of the plurality of files, the 
examining module communicatively coupled to the storage module; 

a retrieval module, configured to retrieve from the plurality of records in the database 
a first record associated with the examined one of the plurality of files, the 
retrieval module communicatively coupled to the examining module and the 
storage module; 

the retrieval module, also configured to retrieve from the plurality of records in the 
database a second record associated with a malicious file; 

an analysis module, configured to analyze the gleaned file attributes gleaned from the 
examined one of the plurality of files, the gleaned file attributes having been 
retrieved from the first record; the analysis module communicatively coupled 
to the retrieval module; 

the analysis module, also configured to analyze one or more attributes of the 

malicious file, the one or more attributes of the malicious file having been 
gleaned from the second record; and 

a status module, configured to determine whether a status of the examined one of the 
plurality of files is malicious, responsive to analyzing the gleaned file 
attributes and the one or more attributes of the malicious file, the status 
module communicatively coupled to the analysis module. 



Application/Control Number: 10/645,989 Page 8 

Art Unit: 2169 

17. (Cancelled) 

18. (Previously Presented) The computer system of claim 16 wherein: 

the gleaning module is further configured to glean specific types of file attributes 
from a specific file as a function of a format of the specific file. 

19. (Previously Presented) The computer system of claim 16 wherein the indexing 
module is further configured to index specific file attributes according to a secure hash of the 
contents of each specific file. 

20. (Previously Presented) The computer system of claim 1 6 wherein the indexing 
module is further configured to index specific file attributes according to a cyclical redundancy 
check of the contents of each specific file. 

21. (Cancelled) 

22. (Cancelled) 

23. (Cancelled) 

24. (Previously Presented) The method of claim 1 further comprising: 
responsive to determining the status of the examined one of the plurality of files to be 

malicious, blocking the examined one of the plurality of files. 

25. (Previously Presented) The method of claim 1 further comprising: 
responsive to determining the status of the examined one of the plurality of files to be 

legitimate, not blocking the examined one of the plurality of files. 



26. (Previously Presented) The method of claim 1 further comprising: 

applying at least one rule specifying how to use the gleaned file attributes to process 
the examined one of the plurality of files. 
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27. (Previously Presented) The method of claim 26 further comprising: 

selecting the at least one rule from a plurality of rules to apply specifying how to use 
the gleaned file attributes to process the examined one of the plurality of files. 

28. (Previously Presented) The method of claim 1 , wherein the plurality of files are 
received from a network connection. 



/Tony Mahmoudi/ 

Supervisory Patent Examiner, Art Unit 2169 



